Privacy Policy

1 - GENERAL PROVISIONS


Preamble
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on data protection (hereinafter RGPD), sets the legal framework applicable to the processing of personal data. This text strengthens the rights and obligations of data controllers, data processors, data subjects and data recipients.

Subsequently, and in order to implement the modifications of the RGPD, the law n°78-17 of January 6, 1978, known as "Informatique et libertés", was modified by the law n°2018-493 of June 20, 2018 by the ordinance n°2018-1125 of December 12, 2018 relating to data protection.

This policy is implemented by the ADRT of Pas-de-Calais (hereinafter referred to as "the ADRT"), whose main activities are the development of the tourist offer, the promotion of tourist destinations and the marketing of the Pas-de-Calais tourist offer.


Purpose and scope
This personal data protection policy is intended to apply to the processing of personal data of our customers, partners and prospects.

As such, the purpose of this policy is to satisfy the information obligation of ADRT and thus to formalise the rights and obligations of clients, partners and prospects with regard to the processing of their data.

This policy relates only to the processing for which we are responsible and to data described as "structured".

The processing of personal data may be managed directly by our TDRA or through a subcontractor specifically appointed by it.

2- PERSONAL DATA COLLECTED


As part of your registration for the Voyage au Centre de la Tech, you may be asked to provide us with some of your personal data. All these personal data are subject to automated processing. This processing is carried out with your consent and in compliance with the applicable legislation.

This may include the following personal data:
  • Name, first name
  • Postal code
  • City
  • E-mail
  • Structure
  • Function

Purposes of collecting personal data

The information collected is used solely for communication purposes.
Pas-de-Calais Tourisme guarantees that your personal data will not be processed for purposes other than those set out above.

Under no circumstances will your personal data be processed for purposes other than those for which we have legal obligations, legitimate interests or for which you have given your consent.

If our services were to process your personal data for purposes other than those mentioned above, this Privacy Policy would be updated and subject to your consent.

3 - RECIPIENTS OF THE DATA


We ensure that data is only accessible to authorised internal or external recipients who are subject to an appropriate obligation of confidentiality.

Internally, we decide which recipient will be able to access which data according to an authorisation policy.

All accesses concerning processing of personal data are subject to a traceability measure.

Furthermore, personal data may be communicated to any authority legally entitled to know about it. In this case, we are not responsible for the conditions under which the personnel of these authorities have access to and use the data:

  • The authorised personnel within our structure (personnel in charge of marketing, customer relationship management, service providers and prospects, administrative personnel, personnel in charge of IT) and their line managers.

4 - PERSONAL RIGHTS


Right of access and copy
Participants traditionally have a right to request confirmation as to whether or not their data are being processed.

They also have a right of access to their data, i.e. the right to obtain communication of all information relating to the processing of their personal data.

In such a case, the client, partner or prospect must formulate his request himself and there must be no doubt as to his identity. Failing this, we reserve the right to request any element that would allow the participant to be identified, such as a copy of an identity document.

Participants have the right to request a copy of their personal data being processed. However, in the event of a request for an additional copy, we may require customers, partners and prospects to pay for this cost.

If participants submit their request for a copy of the data electronically, the information requested will be provided in a commonly used electronic form, unless otherwise requested.

Participants are informed that this right of access may not relate to confidential information or data, or data for which the law does not allow disclosure.

The right of access must not be exercised in an abusive manner, i.e. on a regular basis with the sole aim of destabilising the service concerned.

Updating - updating and rectification
We comply with requests for updates:
  • automatically for online changes to fields that can technically or legally be updated;
  • on written request from the person himself/herself who must prove his/her identity.

Right to erasure
The participant's right to erasure will not apply in cases where the processing is carried out in order to comply with a legal obligation. Apart from this situation, customers, partners and prospects may request the deletion of their data in the following limited cases

  • personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
  • when the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;
  • the data subject objects to processing that is necessary for the purposes of our legitimate interests and there is no compelling legitimate reason for the processing;
  • the data subject objects to the processing of his or her personal data for the purpose of marketing, including profiling;
  • the personal data have been processed unlawfully.

Right to limitation
Participants are informed that this right is not intended to apply insofar as the processing operations we carry out are lawful and all personal data collected are necessary for the implementation of the purposes of the processing thereof.

Right to portability
We grant requests for data portability in the particular case of data provided by the participants themselves, on our online services and for purposes based solely on the consent of the individuals and the performance of a contract. In this case, the data is provided to the applicant in a structured, commonly used and machine-readable format.

Automated individual decision making
We do not make any automated individual decisions.
The tools offered on our website are only tools to help customers and prospects and should not be considered otherwise.

Post-mortem rights
Participants are informed that they have the right to formulate directives concerning the conservation, deletion and communication of their post-mortem data.

Exercise of rights
The exercise of the aforementioned rights is carried out, at the choice of the person concerned, by e-mail or by post to the following address: dpo-pasdecalais.tourisme@racine.eu or 40 rue de Courcelles, 75008 Paris.

5 - ADDITIONAL PROVISIONS


Optional or compulsory nature of answers
Participants are informed of the compulsory or optional nature of the answers by the presence of an asterisk on each personal data collection form submitted to them. If answers are compulsory, we explain the consequences of not answering.

Right of use
Our TDRA is granted the right to use and process personal data for the purposes set out above.

However, the enriched data which are the result of processing and analysis on our part, otherwise known as enriched data, remain our exclusive property (analysis of usage, statistics, etc.).

Subcontracting
We inform you that we may involve any subcontractor of our choice in the processing of your personal data. In this case, we will ensure that the subcontractor complies with its obligations under the GDPR.

We undertake to sign a written contract with all our subcontractors and impose the same data protection obligations on subcontractors as we do ourselves. In addition, we reserve the right to audit our processors to ensure compliance with the provisions of the GDPR.

Cross-border flows
Our TDRA reserves the right to decide whether or not to have transborder flows of personal data that it processes.

If personal data is transferred to a country outside the European Union or to an international organisation, we will inform you and ensure that your rights are respected. If necessary, we will sign one or more contracts to govern transborder data flows.

The provisions relating to cross-border data flows are enforceable against us, except in the derogations provided for in Article 49 of the GDPR.

Register of processing operations
As a data controller, we undertake to keep an up-to-date register of all processing activities carried out.

This register is a document or application that allows us to identify all the processing activities that we carry out as a controller.

We undertake to provide the supervisory authority, on first request, with information enabling the said authority to verify the compliance of the processing with the data processing and liberties regulations in force.

6 - SECURITY


Security measures
It is our responsibility to define and implement the technical security measures, physical or logical, that we deem appropriate to combat the destruction, loss, alteration or unauthorised disclosure of data in an accidental or illicit manner.

To this end, we may engage the assistance of any third party of our choice to conduct vulnerability audits or penetration tests at such intervals as we deem necessary.

In any event, we undertake, in the event of a change in the means of ensuring the security and confidentiality of personal data, to replace them with means of superior performance. No change may lead to a reduction in the level of security.

In the event of subcontracting all or part of the processing of personal data, we undertake to contractually impose security guarantees on our subcontractors by means of technical measures to protect this data and the appropriate human resources.

Data breach
In the event of a personal data breach, we undertake to notify the CNIL under the conditions prescribed by the RGPD.

If the said breach poses a high risk to customers, partners and prospects and the data has not been protected, we will notify the persons concerned and provide them with the necessary information and recommendations.

7 - CONTACTS


Data Protection Officer
We have appointed a data protection officer whose contact details are as follows
Me Eric BARBRY, of Cabinet Racine located at 40, rue de Courcelles in Paris 75008 France, dpo-pasdecalais.tourisme@racine.eu.

In the event of new processing of personal data, we will first contact the data protection officer.

If you wish to obtain specific information or ask a specific question, you may contact the Data Protection Officer who will give you an answer within a reasonable timeframe with regard to the question asked or the information required.

In the event of a problem with the processing of your personal data, you may contact the Data Protection Officer.

Right to lodge a complaint with the CNIL
Participants concerned by the processing of their personal data are informed of their right to lodge a complaint with a supervisory authority, namely the Cnil, if they consider that the processing of their personal data does not comply with the European data protection regulations, at the following address

Cnil - Service des plaintes
3 Place de Fontenoy- TSA 80715 - 75334 PARIS CEDEX 07
Tel: 01 53 73 22 22

Changes
This policy may be amended or modified at any time in the event of changes in legislation, case law, CNIL decisions and recommendations or practices.

Any new version of this policy will be brought to the attention of the participants by any means that we will define, including electronically (distribution by e-mail or online for example).

For any additional information, you can contact the DPO at the above-mentioned address:

dpo-pasdecalais.tourisme@racine.eu

For any other more general information on the protection of personal data, you can consult the Cnil website www.cnil.fr.